Thanks, we are getting closer. The user and nt_host fields are the link between the two searches, index and inputlookup.
In the subsearch on the win index, the user field has a special character at the end, which I have stripped with this eval command:
| eval user=replace(user,"[^[:word:]]","")
search index=win EventCode=4725 src_user="*" [
| inputlookup Assets
| rename nt_host as user
| fields user ]
``` The subsearch above will restrict the search to user=nt_host ```
| stats count by src_user, EventCode, signature, user
``` And this lookup will then fetch the DN - it can be done after the stats as the data does not change for the group by user ```
| lookup Assets nt_host as user OUTPUT nt_host distinguishedName
search index=win EventCode=4725 src_user="*"
| stats count by src_user, EventCode, signature, user
``` And this lookup will then fetch the DN - it can be done after the stats as the data does not change for the group by user ```
| lookup Assets nt_host as user OUTPUT nt_host distinguishedName
``` Now remove all the ones that were not in the Assets lookup ```
| where isnotnull(nt_host)
Modified the lookup to include the removal of the special character. In the events, it shows the correct user impacted. Getting close.
search index=win EventCode=4725 src_user="*"
| eval user=replace(user,"[^[:word:]]","")
| stats count by src_user, EventCode, signature, user
| lookup Assets nt_host as user OUTPUT nt_host distinguishedName
| where isnotnull(nt_host)
| fields src_user, EventCode, signature, user, nt_host, distinguishedName
Index

| src_user | EventCode | user |
|---|---|---|
| service | 4725 | device1 |
| service | 4725 | device2 |
| service | 4725 | device3 |
| service | 4725 | device4 |
| service | 4725 | device5 |

Inputlookup

| nt_host | distinguishedName |
|---|---|
| device1 | CN=device1,OUComputers,OU,Agency |
| device2 | CN=device2,OUComputers,OU,Agency |
| device3 | CN=device3,OUComputers,OU,Agency |
| device4 | CN=device4,OUComputers,OU,Agency |
| device5 | CN=device5,OUComputers,OU,Agency |

End Goal

| src_user | EventCode | user | nt_host | distinguishedName |
|---|---|---|---|---|
| service | 4725 | device1 | device1 | CN=device1,OUComputers,OU,Agency |
| service | 4725 | device2 | device2 | CN=device2,OUComputers,OU,Agency |
| service | 4725 | device3 | device3 | CN=device3,OUComputers,OU,Agency |
| service | 4725 | device4 | device4 | CN=device4,OUComputers,OU,Agency |
| service | 4725 | device5 | device5 | CN=device5,OUComputers,OU,Agency |
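As an added illustration that is not part of this thread: a Python model of the search pipeline above (eval replace, stats count by, lookup Assets, where isnotnull) run over constructed 4725 events and a constructed Assets lookup. It also shows, as a caveat beyond what the post states, that `[^[:word:]]` removes every non-word character, so a hyphenated computer account such as `web-01$` becomes `web01` and no longer matches its nt_host, whereas a pattern that strips only the trailing `$` (an assumption, not on the page) keeps it.

```python
import re
from collections import Counter

# Constructed sample data (not from the original post): Windows 4725 events and an Assets lookup.
# Computer accounts in Windows security events carry a trailing "$" in the user field.
EVENTS = [
    {"src_user": "service", "EventCode": 4725, "signature": "A user account was disabled", "user": "device1$"},
    {"src_user": "service", "EventCode": 4725, "signature": "A user account was disabled", "user": "device1$"},
    {"src_user": "service", "EventCode": 4725, "signature": "A user account was disabled", "user": "web-01$"},
    {"src_user": "admin",   "EventCode": 4725, "signature": "A user account was disabled", "user": "jdoe"},
]
ASSETS = [
    {"nt_host": "device1", "distinguishedName": "CN=device1,OU=Computers,OU=Agency"},
    {"nt_host": "web-01",  "distinguishedName": "CN=web-01,OU=Computers,OU=Agency"},
]

# Splunk's [^[:word:]] is PCRE for "any character that is not [A-Za-z0-9_]";
# Python's re has no POSIX classes, so [^\w] with re.ASCII is the equivalent.
STRIP_ALL_NONWORD = re.compile(r"[^\w]", re.ASCII)
# Narrower alternative (assumption, not on the page): remove only a trailing "$".
STRIP_TRAILING_DOLLAR = re.compile(r"\$$")

def run_pipeline(events, assets, pattern):
    """Model of: eval user=replace(...) | stats count by ... | lookup Assets ... | where isnotnull(nt_host)."""
    # | eval user=replace(user, pattern, "")   (Splunk replace() is global, like re.sub)
    normalized = [dict(e, user=pattern.sub("", e["user"])) for e in events]
    # | stats count by src_user, EventCode, signature, user
    counts = Counter((e["src_user"], e["EventCode"], e["signature"], e["user"]) for e in normalized)
    # | lookup Assets nt_host as user OUTPUT nt_host distinguishedName
    by_host = {a["nt_host"]: a for a in assets}
    rows = []
    for (src_user, code, sig, user), count in sorted(counts.items()):
        asset = by_host.get(user)
        # | where isnotnull(nt_host): keep only users that matched an asset
        if asset is None:
            continue
        rows.append({"src_user": src_user, "EventCode": code, "signature": sig, "user": user,
                     "count": count, "nt_host": asset["nt_host"],
                     "distinguishedName": asset["distinguishedName"]})
    return rows

if __name__ == "__main__":
    for pat in (STRIP_ALL_NONWORD, STRIP_TRAILING_DOLLAR):
        print(pat.pattern, [(r["user"], r["count"]) for r in run_pipeline(EVENTS, ASSETS, pat)])
```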